The Community Forums

Interact with an entire community of cPanel & WHM users!

BIND version security threat

Discussion in 'Bind / DNS / Nameserver Issues' started by matins007, May 16, 2009.

  1. matins007

    matins007 Member

    Jan 15, 2009

    My website is scanned on a regular basis for PCI compliance. It was all working fine for the last few months but yesterday they found something new.

    BIND EVP_VerifyFinal() / DSA_do_verify() Return Checks

    The remote name server is affected by a signature validation weakness.

    Upgrade to BIND 9.3.6-P1 / 9.4.3-P1 / 9.5.1-P1 / 9.6.0-P1 or later.

    According to its version number, the remote installation of BIND does
    not properly check the return value from the OpenSSL library functions
    'EVP_VerifyFinal()' and 'DSA_do_verify()'. A remote attacker may be
    able to exploit this weakness to spoof answers returned from zones for
    signature checks on DSA and ECDSA keys used with SSL / TLS.

    My Update Config setting is set to Automatic (CURRENT tree). I even did a manual update but my version is still BIND 9.3.4.

    Is there another solution than upgrading this by hand in SSH? Are they just freaking out for nothing?

    Thanks for your help on this.
  2. chirpy

    chirpy Well-Known Member

    Jun 15, 2002
    It's probably a false positive due to back-porting by the OS provider. What OS are you running? If you're running bind v9.3.4 my guess is that it's CentOS v5.3 or RHEL v5.3 (i.e. bind-9.3.4-10.P1.el5). If so, and you have your OS up to date, then it's likely a false positive.

    One good measure with bind is not to announce its version number. You can prevent this by editing /etc/named.conf (or /var/named/chroot/etc/named.conf if you run bind-chroot) and in the options {} section set:

    version "not currently available";

    Then restart named.
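The two checks a practitioner would run after reading the reply above, as an added example that is not chirpy's or cPanel's code: confirm whether the distribution's backported bind package already carries the fix (on RHEL/CentOS the package changelog names the CVE even though the upstream version string stays at 9.3.4; the CVE behind this scanner finding is CVE-2009-0025), and make sure named.conf actually sets the version string. The sample named.conf is constructed for the example, the function names are hypothetical, and the awk-based editing assumes a plain single-line `options {` opener as in the stock cPanel/EL5 config.

```sh
#!/bin/sh
# Added example (not chirpy's or cPanel's code). Two checks for the situation
# in this thread: confirm whether the distro's backported bind package already
# carries the fix, and make sure named.conf hides the version string.

# Constructed sample named.conf with no version directive (not from the thread).
SAMPLE_CONF='options {
    directory "/var/named";
    allow-query { any; };
    listen-on port 53 {
        127.0.0.1;
    };
};
zone "example.com" { type master; file "example.com.zone"; };'

# Backport check for RHEL/CentOS: the vendor changelog names the CVE it fixed
# even when the upstream version stays at 9.3.4. Usage: check_backport CVE-2009-0025
check_backport() {
    rpm -q --changelog bind | grep -qi "$1"
}

# What the scanner sees: ask the server for its version over the CHAOS class.
# Usage: query_version 127.0.0.1
query_version() {
    dig +short @"$1" version.bind txt chaos
}

# Exit 0 if the options {} block of the named.conf at $1 sets a version string.
# Tracks brace depth so nested blocks inside options {} do not end the scan
# early; commented-out lines (// or #) are not counted as a directive.
has_version_directive() {
    awk '
        /^[[:space:]]*options[[:space:]]*\{/ { inopt = 1 }
        inopt && /^[[:space:]]*version[[:space:]]+"/ { found = 1 }
        inopt {
            depth += gsub(/\{/, "{")
            depth -= gsub(/\}/, "}")
            if (depth == 0) inopt = 0
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Print the named.conf at $1 with `version "$2";` added as the first line of
# options {}; prints it unchanged if a version directive is already present.
add_version_directive() {
    if has_version_directive "$1"; then
        cat "$1"
        return 0
    fi
    awk -v ver="$2" '
        { print }
        /^[[:space:]]*options[[:space:]]*\{/ && !done {
            print "    version \"" ver "\";"
            done = 1
        }' "$1"
}

# Stand-alone demo on the constructed sample.
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo_conf"
if has_version_directive "$demo_conf"; then
    echo "version directive already set"
else
    echo "no version directive; hardened config follows:"
    add_version_directive "$demo_conf" "not currently available"
fi
rm -f "$demo_conf"
```

Run `check_backport CVE-2009-0025` on the box before touching anything: if the changelog already lists the CVE, the scanner is matching on the version string alone and the finding is the false positive chirpy describes. Hiding the version with `add_version_directive` removes the trigger for that class of version-based finding, but it does not replace keeping the package updated, and `query_version` against the server after `service named restart` confirms the new string is what the scanner will see.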
